Permissions
If you need to grant your enterprise personnel permission to access your Cloud Eye resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your cloud resources.
With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use Cloud Eye resources but should not be allowed to delete the resources or perform any other high-risk operations. In this scenario, you can create IAM users for the software developers and grant them only the permissions required for using Cloud Eye resources.
If your account does not require individual IAM users for permissions management, skip this section.
IAM is a free service. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
Cloud Eye Permissions
By default, IAM users do not have permissions. To assign permissions to IAM users, add them to one or more groups, and attach policies or roles to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.
Cloud Eye is a project-level service deployed and accessed in specific physical regions. Therefore, Cloud Eye permissions are assigned to users in specific regions and only take effect in these regions. If you want the permissions to take effect in all regions, you need to assign the permissions to users in each region. When users access Cloud Eye, they need to switch to a region where they have been authorized to use this service.
You can grant users permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism that defines permissions by user responsibility. Only a limited number of service-level roles are available. When you grant permissions with a role, you must also assign any roles that the role depends on, or the permissions do not take effect. Roles are therefore not well suited to fine-grained authorization or tight access control.
- Policies: A fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under specified conditions. Policy-based authorization is more flexible and meets requirements for secure access control. For example, you can grant Cloud Eye users only the permissions needed to manage one type of Cloud Eye resource.
Most policies define permissions based on APIs. For the API actions supported by Cloud Eye, see Permissions Policies and Supported Actions.
Table 1 lists the system-defined policies supported by Cloud Eye.
| Policy Name | Description | Dependency | Type |
|---|---|---|---|
| CES Administrator | Administrator permissions for Cloud Eye. | Depends on the Tenant Guest policy. Tenant Guest is a global policy and must be assigned in the Global project. | System-defined role |
| CES FullAccess | Administrator permissions for Cloud Eye. Users granted these permissions can perform all operations on Cloud Eye. | Cloud Eye monitoring queries resources of other cloud services, so those cloud services must support fine-grained authorization. | System-defined policy |
| CES ReadOnlyAccess | Read-only permissions for Cloud Eye. Users granted these permissions can only view Cloud Eye data. | Cloud Eye monitoring queries resources of other cloud services, so those cloud services must support fine-grained authorization. | System-defined policy |
| CES AgentAccess | Permissions required for the Cloud Eye Agent to run properly. Note: for the CES Agent to provide services properly, you must also configure an agency. For details, see How Do I Configure an Agency? | None | System-defined policy |
Table 2 lists common operations supported by the Cloud Eye system policies. An empty Feature cell means the row belongs to the feature named in the nearest row above it.

| Feature | Operation | CES Administrator (Tenant Guest must be assigned as well) | Tenant Guest | CES FullAccess | CES ReadOnlyAccess |
|---|---|---|---|---|---|
| Overview | Viewing overview | Supported | Supported | Supported | Supported |
| My Dashboards | Creating my dashboards | Supported | Not supported | Supported | Not supported |
| | Viewing full screen monitoring | Supported | Supported | Supported | Supported |
| | Viewing my dashboards | Supported | Supported | Supported | Supported |
| | Deleting my dashboards | Supported | Not supported | Supported | Not supported |
| | Copying my dashboards | Supported | Not supported | Supported | Not supported |
| | Adding a graph | Supported | Not supported | Supported | Not supported |
| | Viewing a graph | Supported | Supported | Supported | Supported |
| | Modifying a graph | Supported | Not supported | Supported | Not supported |
| | Deleting a graph | Supported | Not supported | Supported | Not supported |
| | Copying a monitoring view | Supported | Not supported | Supported | Not supported |
| | Adjusting the position of a graph | Supported | Not supported | Supported | Not supported |
| Resource Groups | Creating a resource group | Supported | Not supported | Supported | Not supported |
| | Viewing the resource group list | Supported | Supported | Supported | Supported |
| | Viewing resource groups (Resource Overview) | Supported | Supported | Supported | Supported |
| | Viewing resource groups (Alarm Rules) | Supported | Supported | Supported | Supported |
| | Modifying a resource group | Supported | Not supported | Supported | Not supported |
| | Deleting a resource group | Supported | Not supported | Supported | Not supported |
| Alarm Rules | Creating an alarm rule | Supported | Not supported | Supported | Not supported |
| | Copying an alarm rule | Supported | Not supported | Supported | Not supported |
| | Modifying an alarm rule | Supported | Not supported | Supported | Not supported |
| | Enabling an alarm rule | Supported | Not supported | Supported | Not supported |
| | Disabling an alarm rule | Supported | Not supported | Supported | Not supported |
| | Deleting an alarm rule | Supported | Not supported | Supported | Not supported |
| | Querying the alarm rule list | Supported | Supported | Supported | Supported |
| | Viewing details of an alarm rule | Supported | Supported | Supported | Supported |
| Alarm Records | Viewing a graph | Supported | Supported | Supported | Supported |
| | Viewing alarm records | Supported | Supported | Supported | Supported |
| | Exporting alarm records | Supported | Not supported | Supported | Not supported |
| Alarm Templates | Viewing the default metric/event template | Supported | Supported | Supported | Supported |
| | Viewing a custom metric/event template | Supported | Supported | Supported | Supported |
| | Creating a custom metric/event template | Supported | Not supported | Supported | Not supported |
| | Modifying a custom metric/event template | Supported | Not supported | Supported | Not supported |
| | Copying a metric/event template | Supported | Not supported | Supported | Not supported |
| | Importing a custom metric/event template | Supported | Not supported | Supported | Not supported |
| | Exporting a custom metric/event template | Supported | Not supported | Supported | Supported |
| | Deleting a custom metric/event template | Supported | Not supported | Supported | Not supported |
| One-Click Monitoring | Enabling one-click monitoring | Supported | Not supported | Supported | Not supported |
| | Viewing one-click monitoring | Supported | Supported | Supported | Supported |
| | Modifying one-click monitoring | Supported | Not supported | Supported | Not supported |
| | Disabling one-click monitoring | Supported | Not supported | Supported | Not supported |
| Server Monitoring | Viewing the server list | Supported | Supported | Supported | Supported |
| | Viewing server monitoring metrics | Supported | Supported | Supported | Supported |
| | Installing the Agent | Supported (ECS FullAccess is also required) | Not supported | Supported (ECS FullAccess is also required) | Not supported |
| | Enabling one-click configuration | Supported (Security Administrator and ECS FullAccess are also required) | Not supported | Supported (Security Administrator and ECS FullAccess are also required) | Not supported |
| | Uninstalling the Agent | Supported (ECS FullAccess is also required) | Not supported | Supported (ECS FullAccess is also required) | Not supported |
| | Configuring process monitoring | Supported | Not supported | Supported | Not supported |
| | Configuring monitoring for a process | Supported | Not supported | Supported | Not supported |
| Cloud Service Monitoring | Viewing the cloud service list | Supported | Supported | Supported (the cloud services must support fine-grained authorization) | Supported (the cloud services must support fine-grained authorization) |
| | Querying cloud service metrics | Supported | Supported | Supported | Supported |
| Custom Monitoring | Adding custom monitoring data | Supported | Not supported | Supported | Not supported |
| | Viewing the custom monitoring list | Supported | Supported | Supported | Supported |
| | Viewing custom monitoring data | Supported | Supported | Supported | Supported |
| Event Monitoring | Adding a custom event | Supported | Not supported | Supported | Not supported |
| | Viewing the event list | Supported | Supported | Supported | Supported |
| | Viewing details of an event | Supported | Supported | Supported | Supported |
| Data Dumping to DMS for Kafka | Creating a dump task | Supported | Not supported | Supported | Not supported |
| | Querying data dumping tasks | Supported | Supported | Supported | Supported |
| | Querying a specified data dump task | Supported | Supported | Supported | Supported |
| | Modifying a data dump task | Supported | Not supported | Supported | Not supported |
| | Starting a data dump task | Supported | Not supported | Supported | Not supported |
| | Stopping a data dump task | Supported | Not supported | Supported | Not supported |
| | Deleting a data dump task | Supported | Not supported | Supported | Not supported |
| Others | Exporting monitoring data | Supported | Not supported | Supported | Not supported |
| Task Center | Viewing an export task | Supported | Supported | Supported | Supported |
| | Downloading exported results | Supported | Not supported | Supported | Not supported |
| | Deleting an export task | Supported | Not supported | Supported | Not supported |
If the system-defined policies and roles cannot meet your requirements, you can create custom policies and apply these policies to user groups for refined access control. For more information, see Cloud Eye Custom Policies.
The following table lists the fine-grained actions for Cloud Eye and the actions each one depends on. A custom policy that allows an action without its dependencies is granted but unusable: the console cannot populate the related forms and API calls fail with an authorization error.

| Action | Description | Dependencies | Scenario |
|---|---|---|---|
| ces:alarmHistory:list | Grants permission to list historical alarms. | - | Querying historical alarms |
| ces:alarms:list | Grants permission to query alarm rules. | - | Querying alarm rules |
| ces:alarms:get | Grants permission to query details of an alarm rule. | - | Querying details of an alarm rule |
| ces:alarms:create | Grants permission to create an alarm rule. | ces:namespaces:list, ces:namespacesDimensions:list, ces:sysEventsNames:list, ces:resourceGroups:get, ces:resourceGroups:list, ces:customAlarmTemplates:list, ces:sysAlarmTemplates:list, ces:currentRegionSupportedMetrics:list, smn:topic:list, eps:enterpriseProjects:list. Note: if Monitoring Scope is set to Specific resources, instance query permissions for the selected cloud services are also required. | Creating an alarm rule |
| ces:alarms:delete | Grants permission to delete an alarm rule. | ces:alarms:list | Deleting an alarm rule |
| ces:alarms:getResources | Grants permission to query the monitored resources in an alarm rule. | ces:alarms:list | Querying monitored resources in an alarm rule |
| ces:alarms:put | Grants permission to update an alarm rule. | ces:alarms:list, ces:customAlarmTemplates:list, ces:sysAlarmTemplates:list, ces:currentRegionSupportedMetrics:list, smn:topic:list. Note: if Monitoring Scope of the alarm rule is set to Specific resources, instance query permissions for the selected cloud services are also required. | Updating an alarm rule |
| ces:alarmsonoff:put | Grants permission to enable or disable an alarm rule. | ces:alarms:list | Enabling or disabling alarm rules |
| ces:customAlarmTemplates:list | Grants permission to query custom alarm templates. | - | Querying custom alarm templates |
| ces:customAlarmTemplates:create | Grants permission to create a custom template. | ces:customAlarmTemplates:list, ces:namespaces:list, ces:namespacesDimensions:list, ces:sysEventsNames:list, ces:currentRegionSupportedMetrics:list | Creating a custom template |
| ces:customAlarmTemplates:get | Grants permission to query details about a custom alarm template. | ces:customAlarmTemplates:list | Querying details about a custom alarm template |
| ces:customAlarmTemplates:delete | Grants permission to delete a custom template. | ces:customAlarmTemplates:list | Deleting a custom template |
| ces:customAlarmTemplates:put | Grants permission to update a custom template. | ces:customAlarmTemplates:list, ces:namespaces:list, ces:namespacesDimensions:list, ces:sysEventsNames:list, ces:currentRegionSupportedMetrics:list | Updating a custom template |
| ces:sysAlarmTemplates:get | Grants permission to query details about a default system alarm template. | ces:sysAlarmTemplates:list | Querying details about a default system alarm template |
| ces:sysAlarmTemplates:list | Grants permission to list default system alarm templates. | - | Listing default system alarm templates |
| ces:alarmTemplates:list | Grants permission to batch query alarm templates. | - | Batch querying alarm templates |
| ces:events:get | Grants permission to query details of an event. | ces:events:list | Querying details of an event |
| ces:events:list | Grants permission to query events. | - | Querying events |
| ces:events:post | Grants permission to report events. | - | Reporting events |
| ces:metricData:create | Grants permission to report metrics. | - | Reporting metrics |
| ces:metricData:list | Grants permission to query a metric. | - | Querying a metric |
| ces:metrics:list | Grants permission to query metrics. | - | Querying metrics |
| ces:namespaces:list | Grants permission to batch query namespaces. | - | Batch querying namespaces |
| ces:namespacesDimensions:list | Grants permission to query Agent-related metrics of a server. | - | Querying Agent-related metrics of a server |
| ces:quotas:get | Grants permission to query a quota. | - | Querying quotas |
| ces:resourceGroups:create | Grants permission to create a resource group. | ces:namespaces:list, ces:namespacesDimensions:list, eps:enterpriseProjects:list, and instance query permissions for the selected cloud services | Creating a resource group |
| ces:resourceGroups:delete | Grants permission to delete a resource group. | ces:resourceGroups:get | Deleting a resource group |
| ces:resourceGroups:get | Grants permission to query resource groups. | - | Querying resource groups |
| ces:resourceGroups:put | Grants permission to update a resource group. | ces:resourceGroups:get, ces:namespaces:list, ces:namespacesDimensions:list, and instance query permissions for the selected cloud services | Updating a resource group |
| ces:resourceGroups:list | Grants permission to list all resource groups. | - | Querying all resource groups |
| ces:sapEventData:list | Grants permission to query the server configuration. | - | Querying the server configuration |
| ces:taskInvocation:post | Grants permission to batch create Agent tasks. | - | Batch creating Agent tasks |
| ces:taskInvocation:get | Grants permission to list Agent tasks. | - | Querying Agent tasks |
| ces:oneClickAlarms:list | Grants permission to query services and resources that support one-click monitoring. | ces:namespacesMetrics:list | Querying services and resources that support one-click monitoring |
| ces:oneClickAlarms:post | Grants permission to enable one-click monitoring for a cloud service. | ces:oneClickAlarms:list, ces:namespacesMetrics:list, smn:topic:list | Enabling one-click monitoring for a cloud service |
| ces:oneClickAlarms:put | Grants permission to enable or disable one-click monitoring for alarm rules and alarm policies. | ces:oneClickAlarms:list, ces:namespacesMetrics:list | Enabling or disabling one-click monitoring for alarm rules and alarm policies |
| ces:oneClickAlarms:updateNotifications | Grants permission to batch modify alarm notifications for one service in one-click monitoring. | ces:oneClickAlarms:list, ces:namespacesMetrics:list, smn:topic:list | Batch modifying alarm notifications for one service in one-click monitoring |
| ces:oneClickAlarms:delete | Grants permission to disable one-click monitoring for a cloud service. | ces:oneClickAlarms:list, ces:namespacesMetrics:list | Disabling one-click monitoring for a cloud service |
| ces:agentStatus:get | Grants permission to query the Agent status. | - | Querying the Agent status |
| ces:agentClientPluginInfo:get | Grants permission to batch query plug-in information of specified servers. | - | Batch querying plug-in information of specified servers |
| ces:agentClientAvailabilityTask:get | Grants permission to get Agent availability task details. | - | Getting Agent availability task details |
| ces:agentTask:get | Grants permission to batch query task invocations of specified servers. | - | Batch querying task invocations of specified servers |
| ces:agentClientPluginInfo:put | Grants permission to batch update the plug-in information of specified servers. | - | Batch updating the plug-in information of specified servers |
| ces:agentClientMonitor:put | Grants permission to update server monitoring metrics of a specified server. | - | Updating the server monitoring metrics of a specified server |
| ces:heartbeat:post | Grants permission to update the Agent status of a specified instance. | - | Updating the Agent status of a specified instance |
| ces:agentClientAvailabilityTask:put | Grants permission to update an Agent availability task. | - | Updating an Agent availability task |
| ces:agentTask:post | Grants permission to submit task results of a specified server. | - | Submitting task results of a specified server |
| ces:dataShareJob:list | Grants permission to batch query the list of data dump tasks. | - | Batch querying data dump tasks |
| ces:dataShareJob:get | Grants permission to query a specified data dump task. | ces:dataShareJob:list | Querying a specified data dump task |
| ces:dataShareJob:action | Grants permission to start or stop a data dump task. | ces:dataShareJob:list | Starting or stopping a data dump task |
| ces:dataShareJob:put | Grants permission to modify a data dump task. | ces:dataShareJob:list, ces:namespaces:list, ces:namespacesDimensions:list, dms:instance:list, dms:instance:get | Modifying a data dump task |
| ces:dataShareJob:delete | Grants permission to delete a specified data dump task. | ces:dataShareJob:list | Deleting a specified data dump task |
| ces:dataShareJob:create | Grants permission to create a data dump task. | ces:namespaces:list, ces:namespacesDimensions:list, dms:instance:list, dms:instance:get | Creating a data dump task |
| ces:resourcesConsole:list | Grants permission to batch query resource data of a specified namespace on the console. | - | Batch querying resource data of a specified namespace on the console |
| ces:dashboard:listResourceStatistics | Grants permission to query resource statistics of a specified dimension on the cloud service dashboard. | - | Querying resource statistics of a specified dimension on the cloud service dashboard |
| ces:alarmHistoriesReportJob:list | Grants permission to batch query alarm record export tasks. | ces:namespaces:list, ces:currentRegionSupportedMetrics:list, ces:i18n:list | Viewing alarm record export tasks |
| ces:alarmHistoriesReportJob:create | Grants permission to batch create alarm record export tasks. | ces:alarmHistory:list | Exporting alarm records |
| ces:alarmHistoriesReportJob:delete | Grants permission to batch delete alarm record export tasks. | ces:alarmHistoriesReportJob:list | Deleting alarm record export tasks |
| ces:metricReportJob:create | Grants permission to batch create monitoring data export tasks. | ces:metricData:list | Exporting monitoring data |
| ces:metricReportJobs:list | Grants permission to batch query monitoring data export tasks. | ces:namespaces:list, ces:currentRegionSupportedMetrics:list, ces:i18n:list | Viewing monitoring data export tasks |
| ces:metricReportJobs:delete | Grants permission to batch delete monitoring data export tasks. | ces:metricReportJobs:list | Deleting monitoring data export tasks |
| ces:resourcesMetadata:list | Grants permission to batch query resource metadata. | - | Batch querying resource metadata |
| ces:i18n:list | Grants permission to obtain internationalization information. | - | Obtaining internationalization information |
| ces:currentRegionSupportedMetrics:list | Grants permission to batch query metrics. | - | Batch querying metrics |
| ces:metricDataExport:get | Grants permission to export metric data. | ces:metricData:list | Exporting metric data |
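The Dependencies column is what makes a least-privilege custom policy awkward to write by hand: an Allow for ces:alarms:create that omits ces:namespaces:list, smn:topic:list and the rest of its listed dependencies is accepted by IAM but is unusable, and the gap only shows up when the user tries the operation. The following Python script is an added example, not code from the Cloud Eye documentation or from the CES service. It transcribes a subset of the dependency table above into a graph, computes the transitive closure of actions for a wanted set, lints an existing action list for unsatisfied dependencies, and assembles the result into a policy document. The Version 1.1 / Statement / Effect / Action layout is assumed to be the IAM custom-policy JSON format; the instance query permissions of other cloud services that the table notes for the Specific resources scope are not listed as actions and are therefore not computed here.

```python
"""Dependency closure and lint for Cloud Eye (CES) fine-grained actions.

Added example, not code from the Cloud Eye documentation. DEPENDENCIES is a
constructed transcription of part of the page's action table; extend it from
that table for further actions. The policy document layout is an assumption
about the IAM custom-policy JSON format and should be checked against the
IAM documentation before use.
"""
from __future__ import annotations

import json

# Subset of the page's "Dependencies" column (constructed transcription).
# An action with no entry has no listed dependencies.
DEPENDENCIES: dict[str, tuple[str, ...]] = {
    "ces:alarms:create": (
        "ces:namespaces:list", "ces:namespacesDimensions:list",
        "ces:sysEventsNames:list", "ces:resourceGroups:get",
        "ces:resourceGroups:list", "ces:customAlarmTemplates:list",
        "ces:sysAlarmTemplates:list", "ces:currentRegionSupportedMetrics:list",
        "smn:topic:list", "eps:enterpriseProjects:list",
    ),
    "ces:alarms:delete": ("ces:alarms:list",),
    "ces:alarms:getResources": ("ces:alarms:list",),
    "ces:alarms:put": (
        "ces:alarms:list", "ces:customAlarmTemplates:list",
        "ces:sysAlarmTemplates:list", "ces:currentRegionSupportedMetrics:list",
        "smn:topic:list",
    ),
    "ces:alarmsonoff:put": ("ces:alarms:list",),
    "ces:customAlarmTemplates:get": ("ces:customAlarmTemplates:list",),
    "ces:sysAlarmTemplates:get": ("ces:sysAlarmTemplates:list",),
    "ces:events:get": ("ces:events:list",),
    "ces:resourceGroups:delete": ("ces:resourceGroups:get",),
    "ces:dataShareJob:get": ("ces:dataShareJob:list",),
    "ces:dataShareJob:action": ("ces:dataShareJob:list",),
    "ces:dataShareJob:delete": ("ces:dataShareJob:list",),
    "ces:alarmHistoriesReportJob:create": ("ces:alarmHistory:list",),
    "ces:alarmHistoriesReportJob:delete": ("ces:alarmHistoriesReportJob:list",),
    "ces:alarmHistoriesReportJob:list": (
        "ces:namespaces:list", "ces:currentRegionSupportedMetrics:list",
        "ces:i18n:list",
    ),
    "ces:metricDataExport:get": ("ces:metricData:list",),
}


def required_actions(wanted) -> set[str]:
    """Return the wanted actions plus the transitive closure of their
    listed dependencies (depth-first walk over DEPENDENCIES)."""
    needed: set[str] = set()
    stack = list(wanted)
    while stack:
        action = stack.pop()
        if action in needed:
            continue
        needed.add(action)
        stack.extend(DEPENDENCIES.get(action, ()))
    return needed


def unsatisfied_dependencies(granted) -> dict[str, list[str]]:
    """Lint an existing action list: for each granted action, return the
    listed dependencies that the same policy does not also grant."""
    granted = set(granted)
    missing: dict[str, list[str]] = {}
    for action in sorted(granted):
        lacking = [d for d in DEPENDENCIES.get(action, ()) if d not in granted]
        if lacking:
            missing[action] = lacking
    return missing


def build_policy(actions) -> dict:
    """Assemble an Allow-only custom policy document (assumed IAM layout)."""
    return {
        "Version": "1.1",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions)}],
    }


if __name__ == "__main__":
    # An "alarm operator" group: may create, update, toggle and delete
    # alarm rules, and nothing else in Cloud Eye.
    wanted = {"ces:alarms:create", "ces:alarms:put",
              "ces:alarmsonoff:put", "ces:alarms:delete"}
    print(json.dumps(build_policy(required_actions(wanted)), indent=2))
    # A hand-written policy that forgot the dependencies.
    print(unsatisfied_dependencies({"ces:alarms:delete", "ces:events:get"}))
```

Two points worth keeping in mind when using the output: the closure deliberately pulls in non-CES actions (smn:topic:list, eps:enterpriseProjects:list) because the table lists them as dependencies, so the resulting policy is not CES-only and the group must be reviewed as such; and because Cloud Eye is a project-level service, the attached policy only takes effect in the regions where the group is authorized.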
Helpful Links
- IAM Service Overview
- Creating a User and Granting Permissions
- For the actions supported by fine-grained policies, see Permissions Policies and Supported Actions.